
Zach Crosman

Researcher from CISA
#14651 of 53,634
18.5 total CVSS
Vulnerabilities · 2
High · 1
Critical · 1
PT-2026-2176
9.8
2026-01-08
Opexus · Opexus Ecaseportal · CVE-2026-22234
**Name of the Vulnerable Software and Affected Versions**
OPEXUS eCasePortal versions prior to 9.0.45.0

**Description**
OPEXUS eCasePortal allows an unauthenticated attacker to access and manipulate user-uploaded files. An attacker can navigate to the 'Attachments.aspx' endpoint and, by iterating through predictable values of the `formid` parameter, download or delete existing files, and upload new ones. The issue stems from an Insecure Direct Object Reference (IDOR) condition.

**Recommendations**
Versions prior to 9.0.45.0 should be updated to version 9.0.45.0 or later.

PT-2026-2177
8.7
2026-01-08
Unknown · Opexus Ecomplaint · CVE-2026-22235
**Name of the Vulnerable Software and Affected Versions**
OPEXUS eComplaint versions prior to 9.0.45.0

**Description**
The application allows an attacker to access the 'DocumentOpen.aspx' endpoint and potentially download any uploaded files. This is possible by iterating through predictable values of the `chargeNumber` parameter.

**Recommendations**
Update OPEXUS eComplaint to version 9.0.45.0 or later.